exploit-file-download
任意文件下载与 LFI 检测和利用
授权声明
本 Skill 仅用于授权安全测试。使用前请确保:
- 获得目标系统所有者的明确书面授权
- 测试范围和授权内容已明确定义
- 遵守当地法律法规
未经授权的渗透测试是非法行为。
概述
本 Skill 专注于任意文件下载和本地文件包含 (LFI) 类型漏洞的检测与利用。
注意:很多端点实际上是LFI 模式(参数值被当作文件名包含执行),而非真正的文件下载。因此本 Skill 的核心是LFI/文件读取能力。
More from crazymarky/pentest-skills
exploit-xss
Cross-site scripting (XSS) vulnerability detection and exploitation. Supports reflected XSS, stored XSS, DOM-based XSS, and blind XSS testing. Use this skill when user mentions XSS, cross-site scripting, script injection, or needs to test JavaScript injection in parameters, forms, headers, or DOM sources.
15recon-fingerprint
Web fingerprinting and WAF detection using wafw00f, whatweb, nuclei, and httpx. Use this skill when user needs to identify web technologies, detect WAF/CDN, analyze server headers, or fingerprint web applications and frameworks.
15recon-dir-scan
Directory and file enumeration using ffuf, gobuster, dirsearch, and feroxbuster. Use this skill when user needs to discover hidden directories, enumerate files, find backup files, or map application structure through path fuzzing.
14recon-port-scan
Port scanning and service identification using nmap, masscan, and rustscan. Use this skill when user needs to discover open ports, identify running services, detect service versions, or fingerprint operating systems on target hosts.
14recon-subdomain
Subdomain enumeration and DNS reconnaissance using subfinder, amass, dnsx, and other tools. Use this skill when user needs to discover subdomains, perform DNS enumeration, gather DNS records, or find hidden subdomains of a target domain.
13exploit-lfi
本地文件包含 (LFI) 漏洞检测和利用工具。使用 curl、ffuf 等工具测试 LFI 漏洞,支持路径遍历、PHP 伪协议利用、日志投毒 RCE、敏感文件读取。当用户需要检测 LFI 漏洞、利用文件包含漏洞读取服务器文件时使用此技能。
13